You can use a Lambda function to update the security group’s rules dynamically whenever AWS publishes new internal service IP ranges for CloudFront.
Use AWS SSO to Deny permissions for IAM and SSO itself
You do not need to create SSO in a different AWS account to restrict or Deny permissions to users for different services, especially IAM and SSO itself.
How to create Azure KeyVault and Secrets using Azure release pipeline (using PowerShell script)
You can use PowerShell to create a key vault and secrets and assign an access policy to users, groups or apps.
How to protect resources in CloudFormation Stack from being Deleted or Replaced using Stack Policy
If you have already created a stack without any stack policy, you can apply a stack policy to this stack using the AWS CLI only. This can’t be done through the Console.